Generous Xinuos Donation

Submitted by Shawn Webb on

On 05 October 2015, Xinuos™, a leading provider of UNIX-based operating systems has announced funding for the HardenedBSD project’s efforts to develop security enhancements for FreeBSD. Xinuos has contributed half of the $7,000 fundraising goal for hardware updates, hosting requirements and investigation into the formation of a not-for-profit.

The HardenedBSD project was created in 2014 by Oliver Pinter and Shawn Webb to continuously add security hardening features to FreeBSD, the open source operating system powering some of the world’s busiest services including Netflix, OKCupid and WhatsApp. Over the past year, HardenedBSD has implemented a number of advanced exploit mitigation technologies and security hardening features which were subsequently submitted upstream to FreeBSD.

“We are excited about the work we’re doing for this widely used operating system,” said Shawn Webb, HardenedBSD co-founder. “The contribution from Xinuos goes a long way toward developing new features.”

The HardenedBSD project started with the development of the Address Space Layout Randomization (ASLR) feature which helps prevent attackers from exploiting vulnerabilities in FreeBSD by making it hard for them to find vulnerabilities within memory. Other work includes SEGVGUARD, mprotect and pageexec hardening and procfs/linprocfs hardening to further block attacks on FreeBSD systems.

The project hopes to raise $7,000 by the end of 2015 to purchase new hard drives, web site hosting and begin work to form a not-for-profit organization. In September, Xinuos contributed $3,500 toward this goal as part of their commitment to the FreeBSD community.

“There couldn’t be a better time for this project and the security enhancements they’re looking to develop for FreeBSD,” said Sean Snyder, Xinuos president and chief executive officer. “We look forward to seeing the innovative work that continues to come from the HardenedBSD project.”

About Xinuos, Inc.

Xinuos provides commercial customers with operating systems that are reliable, dependable and secure for mission-critical applications that demand rock-solid performance. The Xinuos general-purpose operating systems are on pace with hardware and software industry advances and are designed to power any size business that requires stability, reliability and scalability. Learn more at www.xinuos.com.

Xinuos Media Contact

Rosie Hausler
Phone		+1 (425) 301-6740
Email		rosie.hausler@soundcmo.com
Internet	http://www.xinuos.com

August HardenedBSD Status Report

Submitted by Shawn Webb on

We at HardenedBSD have decided to do a periodic (likely quarterly) status report in order to keep the community informed of what's going on in HardenedBSD. So here goes the first status report:

The Call for Donations is going well. We have raised nearly $1,000 USD of our goal of $7,000 USD. The Internet Systems Consortium, the people behind BIND and ISC-DHCPD, have offered to match donations up to $1,000 USD. We've decided to run the donations until November 30th. We appreciate all the help and support from the community. We're excited to see where this round of donations takes us. We plan to start the 501(C)(3) organization investigation in January.

We added Brian Salcedo as an official developer, tasked with rewriting secadm nearly from scratch. He has been hard at work revamping how the rules are stored in the kernel. As part of the rewrite, he'll include ugidfw(8) functionality. The basic rewrite is 100% complete and pending a thorough code review. We're hoping to have a beta released soon.

We have started storing a cache of secadm rules for applications that are known to misbehave with our awesome enhancements. If you have a secadm rule for an application and would like to see it up there, please send us either a Pull Request on GitHub or email us a patch. Feel free to also drop in IRC and let us know. Oliver has created a little script to help in rule validation.

Shawn has been working with the OPNSense team to deliver quality builds based on HardenedBSD. Experimental builds have been posted here, the latest build being hbsd-exp-05. Work is in progress to provide a binary upgrade path and an official download location. Shawn has also been working with Baptiste Darrousin from the FreeBSD project to test his RELRO patch. The RELRO patch is in the hardened/current/unstable branch and is undergoing extensive testing, including a full package build with a number of packages being compiled with RELRO. We hope to have the RELRO patch merged into the hardened/current/master branch within the next week or two. Shawn is also preparing to give a number of presentations. He'll be speaking at vBSDcon, DerbyCon, and BSidesDC. The BSidesDC will be a recorded, four-hour presentation diving deep into HardenedBSD's internals.

Oliver has been working hard on bringing FORTIFY_SOURCE to FreeBSD for his Google Summer of Code project. He has made a lot of progress. He's currently splitting the work out into smaller patches for easier review by the FreeBSD development team. It builds fine with both clang and gcc. He also backported our ASLR code to 10-STABLE. Oliver also has been keeping tabs on HardenedBSD's infrastructure, ensuring everything runs smoothly. We had a failing disk earlier this week on our Jenkins machine and we got that replaced within a few hours. The main CPU fan pinout on the motherboard of the package building server has stopped working. Luckily there's a second pinout for an additional CPU fan. The motherboard should be under warranty. As a bandaid, the CPU fan was moved to the second pinout. We'll be working on replacing the motherboard through the normal warranty process soon.

A user reported having issues with golang on HardenedBSD. After some digging, we found out that in golang versions prior to 1.5, COMPAT_FREEBSD32 needs to be enabled in your kernel config. We have removed it from the HARDENEDBSD kernel config. Golang version 1.5, which is already in the ports tree, fixes this. We will be following up with a new package build soon.

Call For Donations

Submitted by Shawn Webb on

It takes a lot to run a project like HardenedBSD. In 2014, we asked the community for help in funding a development server. The community responded quickly and our server was fully-funded within a short amount of time. That server is now being put to great use as our package building server. We appreciate all the help everyone has given us to date.

We would like to ask the community today for further donations. Our target is $7,000 USD. The funds will go towards hardware updates, hosting requirements, and potentially setting up a not-for-profit (501(c)(3)) organization so further donations will become tax-deductible.

If you'd like to donate, please hit the donate link at the top-left portion of the site (which forwards to PayPal -- shawn.webb@hardenedbsd.org). If you donate and wish your name to be added to the Donors page, please drop an email to core@hardenedbsd.org. We also accept BitCoin at address 1FmbSRvZK4yC1b6ajeZWSvYXV2nmvwdWQq. Every donation counts and is appreciated, even donations as small as $1.00 USD.

Announcing ASLR Completion

Submitted by Shawn Webb on

Over the July 4th weekend, we implemented randomization of the VDSO (Virtual Dynamic Shared Object). The VDSO is a spot in memory that is shared between the kernel and userland memory. It contains the signal trampoline and time-related code (like gettimeofday(2)). Randomizing the VDSO was the last piece of the address space to randomize. Now that it is implemented, our ASLR implementation is now complete. Our version of ASLR is the strongest form ever implemented in any BSD operating system. Read on for the full feature list.

Introducing True Stack Randomization

Submitted by Shawn Webb on

When we first implemented ASLR for FreeBSD, we implemented the stack randomization portion as a random gap. This means that the base address for the stack remained constant, but where applications started utilizing the stack would change randomly. We have now implemented true stack randomization. The base address for the stack is now randomized. We still utilize a random stack gap on top of true stack randomization to provide further entropy and security. This means that we can effectively achieve 42 bits of entropy for the stack.

Seeking Package Mirrors

Submitted by Shawn Webb on

HardenedBSD is gaining a lot of traction. We maintain our own packages to ensure proper ABI/API compatibility with HardenedBSD. We are looking for those who would be interested in mirroring our package repositories. You'd be looking at 2x50GB per repository. Right now, we only have one repo for 11-CURRENT/amd64. But we will soon be expanding to also building 10-STABLE/amd64 packages as well. We are currently restructuring the way our repo works. Of course, if you decide to become an official mirror, your name will be listed on our donors page. We appreciate the help and support the community has given us already and we look forward to working further with the community as we grow. Please contact us at core@hardenedbsd.org to discuss further details.

Poll: linuxulator Removal

Submitted by Shawn Webb on

Body: 

The linuxulator (the Linux emulation/translation layer in FreeBSD) has recently undergone a major overhaul. Many of FreeBSD's userbase relies on the linuxulator to provide things like the Adobe Flash Player browser plugin, linux browsers, and certain linux-centric tasks. The linuxulator provides a set of security challenges. It is yet another attack vector. The core HardenedBSD team would like to completely remove the linuxulator from HardenedBSD's codebase.

What would be removed:

  1. linuxulator and its dependents
  2. linprocfs (pending investigation, this might not be removed)
  3. packages that require the linuxulator

Should the linuxulator be removed?

Yes
66% (133 votes)
No
34% (70 votes)
Total votes: 203

Pages

Subscribe to HardenedBSD RSS